From: Quanah Gibson-Mount quanah@zimbra.com
To: espeake@oreillyauto.com
Date: 09/06/2013 10:42 AM
Subject: Re: SyncRepl Chaining
--On Friday, September 06, 2013 10:39 AM -0500 espeake@oreillyauto.com wrote:
root@tntest-ldap-3:~# ldapwhoami -d -1 -Wx -D "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com"
Debug output from ldapwhoami is useless
ldap_bind: Invalid credentials (49)
This error can indicate any of a number of things:
a) Wrong password
b) ACLs block the ability to auth to the password
c) The DN specified doesn't exist
What you would need to provide is the debug output from *slapd* to see which of a, b, or c was the problem.
--Quanah
--
Here is the olcAccess from the slapcat on the database. Rule {0} should be what it is using, but because of it not authenticating, rule {2} is being applied instead.
Here is the slapd debug.
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: conn=1015 op=0 BIND dn="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" method=128
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry: "cn=passwordadminpolicy,ou=policies,dc=oreillyauto,dc=com"
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (userPassword)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: auth access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "userPassword" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => acl_get: [1] attr userPassword
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => acl_mask: access to entry "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com", attr "userPassword" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => acl_mask: to value by "", (=0)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= check a_dn_pat: uid=syncrepl,ou=system,dc=oreillyauto,dc=com
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= check a_dn_pat: uid=readonlyuser,ou=system,dc=oreillyauto,dc=com
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= check a_dn_pat: uid=ldapadmin,ou=system,dc=oreillyauto,dc=com
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= check a_dn_pat: uid=newuseradmin,ou=system,dc=oreillyauto,dc=com
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= check a_dn_pat: uid=passwordadmin,ou=system,dc=oreillyauto,dc=com
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= acl_mask: no more <who> clauses, returning =0 (stop)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => slap_access_allowed: auth access denied by =0
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: no more rules
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 11:01:25 slapd[20347]: last message repeated 3 times
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => test_filter
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: PRESENT
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= test_filter 6
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => test_filter
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: PRESENT
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= test_filter 6
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry: "cn=passwordadminpolicy,ou=policies,dc=oreillyauto,dc=com"
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => test_filter
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: EQUALITY
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= test_filter 5
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => test_filter
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: EQUALITY
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= test_filter 5
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= acl_access_allowed: granted to database root
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => test_filter
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: PRESENT
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= test_filter 6
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (objectClass)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result was in cache (objectClass)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (uid)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "uid" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (description)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "description" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (pwdPolicySubentry)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdPolicySubentry" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (structuralObjectClass)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => test_filter
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: PRESENT
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= test_filter 6
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: add access to "cn=accesslog" "children" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "structuralObjectClass" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: add access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: add access to "reqStart=20130906160125.000000Z,cn=accesslog" "entry" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (entryUUID)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entryUUID" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (creatorsName)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "creatorsName" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (createTimestamp)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "createTimestamp" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (pwdHistory)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdHistory" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result was in cache (pwdHistory)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (userPassword)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "userPassword" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (pwdChangedTime)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdChangedTime" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (pwdFailureTime)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdFailureTime" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result was in cache (pwdFailureTime)
Sep 6 11:01:25 slapd[20347]: last message repeated 33 times
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (entryCSN)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entryCSN" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (modifiersName)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "modifiersName" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (modifyTimestamp)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "modifyTimestamp" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (entryDN)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entryDN" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result was in cache (entryDN)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (subschemaSubentry)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "subschemaSubentry" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result was in cache (subschemaSubentry)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (hasSubordinates)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "hasSubordinates" requested
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result was in cache (hasSubordinates)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (objectClass)
Sep 6 11:01:25 tntest-ldap-1 rsyslogd-2177: imuxsock begins to drop messages from pid 20347 due to rate-limiting
Sep 6 11:01:27 tntest-ldap-1 rsyslogd-2177: imuxsock lost 116 messages from pid 20347 due to rate-limiting
Thanks, Eric
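A trace like the one above is long because slapd logs every access check for the operation, while the decision that matters for the bind is a handful of acl_get/acl_mask records. The helper below, added here as an example and not part of the thread or of OpenLDAP, reduces the ACL records of a slapd debug trace to the decision path: the bind DN, who the requester was at check time, which rule was selected, which <who> patterns were tried, whether a break fired, and the verdict. The sample trace is constructed from the ACL-relevant records of the 12:12 run quoted later in the thread; the regexes and the summary format are the example's own.

```python
import re

# Constructed sample: the ACL-relevant records of the 12:12:46 slapd trace quoted in the
# thread, one syslog record per line (the real trace interleaves many more records).
SAMPLE_TRACE = """\
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: conn=1019 op=0 BIND dn="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" method=128
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: auth access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "userPassword" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_get: [1] attr userPassword
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_mask: to value by "", (=0)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= check a_dn_pat: uid=syncrepl,ou=system,dc=oreillyauto,dc=com
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= check a_dn_pat: uid=readonlyuser,ou=system,dc=oreillyauto,dc=com
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= check a_dn_pat: uid=ldapadmin,ou=system,dc=oreillyauto,dc=com
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= check a_dn_pat: uid=newuseradmin,ou=system,dc=oreillyauto,dc=com
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= check a_dn_pat: uid=passwordadmin,ou=system,dc=oreillyauto,dc=com
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= check a_dn_pat: *
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= acl_mask: [6] applying +0 (break)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => dn: [2] dc=oreillyauto,dc=com
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_get: [2] matched
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_get: [2] attr userPassword
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_mask: to value by "", (=0)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= acl_mask: no more <who> clauses, returning =0 (stop)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => slap_access_allowed: auth access denied by =0
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: no more rules
"""

RE_BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RE_VERDICT = re.compile(r'access_allowed: (\w+) access (denied|granted) by (\S+)')
RE_REQUEST = re.compile(r'access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
RE_RULE = re.compile(r'acl_get: \[(\d+)\] attr (\S+)')
RE_REQUESTER = re.compile(r'acl_mask: to value by "([^"]*)"')
RE_WHO = re.compile(r'check a_dn_pat: (\S+)')
RE_CONTROL = re.compile(r'acl_mask: \[(\d+)\] applying (\S+) \((\w+)\)')
RE_NOWHO = re.compile(r'no more <who> clauses, returning (\S+) \((\w+)\)')


def parse_acl_trace(text):
    """Reduce one access decision in slapd ACL debug output to its decision path."""
    summary = {"bind_dn": None, "requester": None, "requested": None, "rules": [], "verdict": None}
    current = None
    for line in text.splitlines():
        msg = line.split("]: ", 1)[-1]          # strip the syslog timestamp/host/pid prefix
        if (m := RE_BIND.search(msg)):
            summary["bind_dn"] = m.group(3)
        elif (m := RE_VERDICT.search(msg)):
            summary["verdict"] = {"access": m.group(1), "result": m.group(2), "mask": m.group(3)}
        elif (m := RE_REQUEST.search(msg)):
            summary["requested"] = {"access": m.group(1), "dn": m.group(2), "attr": m.group(3)}
        elif (m := RE_RULE.search(msg)):        # slapd numbers rules from [1]; olcAccess from {0}
            current = {"rule": int(m.group(1)), "attr": m.group(2), "who_checked": [], "outcome": None}
            summary["rules"].append(current)
        elif (m := RE_REQUESTER.search(msg)):   # an empty DN means the connection is still anonymous
            summary["requester"] = m.group(1) or "anonymous"
        elif (m := RE_WHO.search(msg)) and current:
            current["who_checked"].append(m.group(1))
        elif (m := RE_CONTROL.search(msg)) and current:
            current["outcome"] = f"clause {m.group(1)} matched: {m.group(3)} ({m.group(2)})"
        elif (m := RE_NOWHO.search(msg)) and current:
            current["outcome"] = f"no <who> clause matched: deny ({m.group(2)})"
    return summary


def explain(summary):
    """Render the decision path as short lines an operator can read at a glance."""
    req = summary["requested"]
    lines = [f'bind as {summary["bind_dn"]}: {req["access"]} on {req["attr"]} checked while {summary["requester"]}']
    for r in summary["rules"]:
        lines.append(f'  olcAccess {{{r["rule"] - 1}}} (trace index [{r["rule"]}]) tried '
                     f'{len(r["who_checked"])} <who> patterns -> {r["outcome"]}')
    v = summary["verdict"]
    lines.append(f'  result: {v["access"]} access {v["result"]} by {v["mask"]}')
    return lines


if __name__ == "__main__":
    print("\n".join(explain(parse_acl_trace(SAMPLE_TRACE))))
```

Two things the summary makes visible that are easy to miss in the raw trace: the requester at bind time is the empty DN (anonymous), so only clauses that match anonymous can ever grant the auth check, and the trace's rule index is one higher than the olcAccess {n} index. The 11:01 trace on this page also ends with rsyslog dropping 116 messages due to rate-limiting, so for ACL debugging it is more reliable to run slapd in the foreground with debug level 128 (acl) and capture stderr to a file than to read the trace back out of syslog.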
--On Friday, September 06, 2013 11:35 AM -0500 espeake@oreillyauto.com wrote:
Here is the olcAccess from the slapcat on the database. Rule {0} should be what it is using, but because of it not authenticating, rule {2} is being applied instead.
Did you mean to paste your rules in here and forget? ;)
--Quanah
--
Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
From: Quanah Gibson-Mount quanah@zimbra.com
To: espeake@oreillyauto.com
Cc: openldap-technical@openldap.org
Date: 09/06/2013 11:45 AM
Subject: Re: SyncRepl Chaining
--On Friday, September 06, 2013 11:35 AM -0500 espeake@oreillyauto.com wrote:
Here is the olcAccess from the slapcat on the database. Rule {0} should be what it is using, but because of it not authenticating, rule {2} is being applied instead.
Did you mean to paste your rules in here and forget? ;)
--Quanah
Yep, had a hungry child calling me while I was trying to get this out.
olcAccess: {0}to * by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write
olcAccess: {1}to dn.subtree="dc=oreillyauto,dc=com" by group/groupOfUniqueNames/uniqueMember="cn=System Administrators,ou=Groups,dc=oreillyauto,dc=com" write by group/groupOfUniqueNames/uniqueMember="cn=LDAP Admin,ou=Groups,dc=oreillyauto,dc=com" write
olcAccess: {2}to attrs=userPassword by group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" write by anonymous read
olcAccess: {3}to attrs=uid by anonymous read by users read
olcAccess: {4}to attrs=ou,employeeNumber by users read
olcAccess: {5}to dn.subtree="ou=System,dc=oreillyauto,dc=com" by dn.subtree="ou=Users,dc=oreillyauto,dc=com" none by users read
olcAccess: {6}to dn.children="ou=Groups,dc=oreillyauto,dc=com" by dnattr=owner write by dnattr=uniqueMember read by * none
olcAccess: {7}to dn.children="ou=Users,dc=oreillyauto,dc=com" by self read by group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" read by * none
olcAccess: {8}to * by self read by users read
--On Friday, September 06, 2013 11:52 AM -0500 espeake@oreillyauto.com wrote:
From: Quanah Gibson-Mount quanah@zimbra.com
To: espeake@oreillyauto.com
Cc: openldap-technical@openldap.org
Date: 09/06/2013 11:45 AM
Subject: Re: SyncRepl Chaining
--On Friday, September 06, 2013 11:35 AM -0500 espeake@oreillyauto.com wrote:
Here is the olcAccess from the slapcat on the database. Rule {0} should be what it is using, but because of it not authenticating, rule {2} is being applied instead.
Did you mean to paste your rules in here and forget? ;)
--Quanah
Yep, had a hungry child calling me while I was trying to get this out.
olcAccess: {0}to * by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write
As you have no break clause, this is the only ACL that ever applies. Since there is no anonymous read access to userPassword, it is impossible to authenticate as any user. Thus your inability to authenticate any user is entirely caused by your broken ACLs.
--Quanah
From: Quanah Gibson-Mount quanah@zimbra.com
To: espeake@oreillyauto.com
Cc: openldap-technical@openldap.org
Date: 09/06/2013 11:56 AM
Subject: Re: SyncRepl Chaining
--On Friday, September 06, 2013 11:52 AM -0500 espeake@oreillyauto.com wrote:
From: Quanah Gibson-Mount quanah@zimbra.com
To: espeake@oreillyauto.com
Cc: openldap-technical@openldap.org
Date: 09/06/2013 11:45 AM
Subject: Re: SyncRepl Chaining
--On Friday, September 06, 2013 11:35 AM -0500 espeake@oreillyauto.com wrote:
Here is the olcAccess from the slapcat on the database. Rule {0} should be what it is using, but because of it not authenticating, rule {2} is being applied instead.
Did you mean to paste your rules in here and forget? ;)
--Quanah
Yep, had a hungry child calling me while I was trying to get this out.
olcAccess: {0}to * by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write
As you have no break clause, this is the only ACL that ever applies. Since there is no anonymous read access to userPassword, it is impossible to authenticate as any user. Thus your inability to authenticate any user is entirely caused by your broken ACLs.
--Quanah
Here is the ldif I created and used with ldapmodify:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: {0}to * by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write break
olcAccess: {1}to dn.subtree="dc=oreillyauto,dc=com" by group/groupOfUniqueNames/uniqueMember="cn=System Administrators,ou=Groups,dc=oreillyauto,dc=com" write by group/groupOfUniqueNames/uniqueMember="cn=LDAP Admin,ou=Groups,dc=oreillyauto,dc=com" write
olcAccess: {2}to attrs=userPassword by group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" write by anonymous read
olcAccess: {3}to attrs=uid by anonymous read by users read
olcAccess: {4}to attrs=ou,employeeNumber by users read
olcAccess: {5}to dn.subtree="ou=System,dc=oreillyauto,dc=com" by dn.subtree="ou=Users,dc=oreillyauto,dc=com" none by users read
olcAccess: {6}to dn.children="ou=Groups,dc=oreillyauto,dc=com" by dnattr=owner write by dnattr=uniqueMember read by * none
olcAccess: {7}to dn.children="ou=Users,dc=oreillyauto,dc=com" by self read by group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" read by * none
olcAccess: {8}to * by self read by users read
I confirmed by looking at the LDIF that the changes were made. Even though it's not supposed to be needed, I restarted the slapd service. To me it looks like it is reading the break and moving to rule {2}, but still no love or authentication.
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: conn=1019 op=0 BIND dn="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" method=128
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => bdb_entry_get: found entry: "cn=passwordadminpolicy,ou=policies,dc=oreillyauto,dc=com"
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: result not in cache (userPassword)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: auth access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "userPassword" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_get: [1] attr userPassword
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_mask: access to entry "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com", attr "userPassword" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_mask: to value by "", (=0)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= check a_dn_pat: uid=syncrepl,ou=system,dc=oreillyauto,dc=com
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= check a_dn_pat: uid=readonlyuser,ou=system,dc=oreillyauto,dc=com
Sep 6 12:12:46 tntest-ldap-1 slap[22140]: <= check a_dn_pat: uid=ldapadmin,ou=system,dc=oreillyauto,dc=com
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= check a_dn_pat: uid=newuseradmin,ou=system,dc=oreillyauto,dc=com
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= check a_dn_pat: uid=passwordadmin,ou=system,dc=oreillyauto,dc=com
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= check a_dn_pat: *
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= acl_mask: [6] applying +0 (break)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= acl_mask: [6] mask: =0
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => dn: [2] dc=oreillyauto,dc=com
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_get: [2] matched
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_get: [2] attr userPassword
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_mask: access to entry "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com", attr "userPassword" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_mask: to value by "", (=0)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= acl_mask: no more <who> clauses, returning =0 (stop)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => slap_access_allowed: auth access denied by =0
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: no more rules
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 12:12:46 slapd[22140]: last message repeated 3 times
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => test_filter
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: PRESENT
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= test_filter 6
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => test_filter
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: PRESENT
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= test_filter 6
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => bdb_entry_get: found entry: "cn=passwordadminpolicy,ou=policies,dc=oreillyauto,dc=com"
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => test_filter
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: EQUALITY
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= test_filter 5
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => test_filter
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: EQUALITY
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= test_filter 5
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= acl_access_allowed: granted to database root
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => test_filter
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: PRESENT
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= test_filter 6
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: result not in cache (objectClass)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: result was in cache (objectClass)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: result not in cache (uid)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "uid" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: result not in cache (description)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "description" requested
etc...
Thanks, Eric
--
This message has been scanned for viruses and dangerous content, and is believed to be clean. Message id: 03F51600DDF.A307B
This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS § 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.
--On Friday, September 06, 2013 12:21 PM -0500 espeake@oreillyauto.com wrote:
add: olcAccess
olcAccess: {0}to * by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write break
This should be "by * break" not "break"
I confirmed by looking at the LDIF that the changes were made. Even though it's not supposed to be needed, I restarted the slapd service. To me it looks like it is reading the break and moving to rule {2}, but still no love or authentication.
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_mask: access to entry "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com", attr "userPassword" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_mask: to value by "", (=0)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= acl_mask: no more <who> clauses, returning =0 (stop)
As noted in the SLAPD.ACCESS(5) man page:
The search operation requires search (=s) privileges on the entry pseudo-attribute of the searchBase (NOTE: this was introduced with OpenLDAP 2.4). Then, for each entry, it requires search (=s) privileges on the attributes that are defined in the filter. The resulting entries are finally tested for read (=r) privileges on the pseudo-attribute entry (for read access to the entry itself) and for read (=r) access on each value of each attribute that is requested. Also, for each referral object used in generating continuation references, the operation requires read (=r) access on the pseudo-attribute entry (for read access to the referral object itself), as well as read (=r) access to the attribute holding the referral information (generally the ref attribute).
You have no ACL granting access to the pseudo-attribute "entry".
I personally have as my last ACL:
olcAccess: {10}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by * read
--Quanah
--
Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
From: Quanah Gibson-Mount quanah@zimbra.com To: espeake@oreillyauto.com Cc: openldap-technical@openldap.org Date: 09/06/2013 12:29 PM Subject: Re: SyncRepl Chaining
--On Friday, September 06, 2013 12:21 PM -0500 espeake@oreillyauto.com wrote:
add: olcAccess
olcAccess: {0}to * by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write break
This should be "by * break" not "break"
You have no ACL granting access to the pseudo-attribute "entry".
I personally have as my last ACL:
olcAccess: {10}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by * read
--Quanah
Here is the access list from a new slapcat; this is for olcDatabase={1}hdb.
olcAccess: {0}to * by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write by * break
olcAccess: {1}to dn.subtree="dc=oreillyauto,dc=com" by group/groupOfUniqueNames/uniqueMember="cn=System Administrators,ou=Groups,dc=oreillyauto,dc=com" write by group/groupOfUniqueNames/uniqueMember="cn=LDAP Admin,ou=Groups,dc=oreillyauto,dc=com" write
olcAccess: {2}to attrs=userPassword by group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" write by anonymous read
olcAccess: {3}to attrs=uid by anonymous read by users read
olcAccess: {4}to attrs=ou,employeeNumber by users read
olcAccess: {5}to dn.subtree="ou=System,dc=oreillyauto,dc=com" by dn.subtree="ou=Users,dc=oreillyauto,dc=com" none by users read
olcAccess: {6}to dn.children="ou=Groups,dc=oreillyauto,dc=com" by dnattr=owner write by dnattr=uniqueMember read by * none
olcAccess: {7}to dn.children="ou=Users,dc=oreillyauto,dc=com" by self read by group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" read by * none
olcAccess: {8}to * by self read by users read
olcAccess: {9} to attrs=entry by dn.children="cn=admins" write by * read
and here is the debug.
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: conn=2777 op=0 BIND dn="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" method=128
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: => bdb_entry_get: found entry: "cn=passwordadminpolicy,ou=policies,dc=oreillyauto,dc=com"
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: => access_allowed: result not in cache (userPassword)
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: => access_allowed: auth access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "userPassword" requested
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: => acl_get: [1] attr userPassword
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: => acl_mask: access to entry "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com", attr "userPassword" requested
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: => acl_mask: to value by "", (=0)
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: <= check a_dn_pat: uid=syncrepl,ou=system,dc=oreillyauto,dc=com
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: <= check a_dn_pat: uid=readonlyuser,ou=system,dc=oreillyauto,dc=com
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: <= check a_dn_pat: uid=ldapadmin,ou=system,dc=oreillyauto,dc=com
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: <= check a_dn_pat: uid=newuseradmin,ou=system,dc=oreillyauto,dc=com
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: <= check a_dn_pat: uid=passwordadmin,ou=system,dc=oreillyauto,dc=com
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: <= check a_dn_pat: *
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: <= acl_mask: [6] applying +0 (break)
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: <= acl_mask: [6] mask: =0
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: => dn: [2] dc=oreillyauto,dc=com
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: => acl_get: [2] matched
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: => acl_get: [2] attr userPassword
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: => acl_mask: access to entry "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com", attr "userPassword" requested
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: => acl_mask: to value by "", (=0)
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: <= acl_mask: no more <who> clauses, returning =0 (stop)
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: => slap_access_allowed: auth access denied by =0
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: => access_allowed: no more rules
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 13:28:29 slapd[22892]: last message repeated 3 times
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: => test_filter
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: PRESENT
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: <= root access granted
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: <= test_filter 6
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: => test_filter
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: PRESENT
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: <= root access granted
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: <= test_filter 6
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: => bdb_entry_get: found entry: "cn=passwordadminpolicy,ou=policies,dc=oreillyauto,dc=com"
Sep 6 13:28:29 tntest-ldap-1 slapd[22892]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry"
Thanks, Eric
--On Friday, September 06, 2013 1:46 PM -0500 espeake@oreillyauto.com wrote:
Here is the access list from a new slapcat; this is for olcDatabase={1}hdb.
olcAccess: {0}to * by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write by * break
olcAccess: {1}to dn.subtree="dc=oreillyauto,dc=com" by group/groupOfUniqueNames/uniqueMember="cn=System Administrators,ou=Groups,dc=oreillyauto,dc=com" write by group/groupOfUniqueNames/uniqueMember="cn=LDAP Admin,ou=Groups,dc=oreillyauto,dc=com" write
olcAccess: {2}to attrs=userPassword by group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" write by anonymous read
olcAccess: {3}to attrs=uid by anonymous read by users read
olcAccess: {4}to attrs=ou,employeeNumber by users read
olcAccess: {5}to dn.subtree="ou=System,dc=oreillyauto,dc=com" by dn.subtree="ou=Users,dc=oreillyauto,dc=com" none by users read
olcAccess: {6}to dn.children="ou=Groups,dc=oreillyauto,dc=com" by dnattr=owner write by dnattr=uniqueMember read by * none
olcAccess: {7}to dn.children="ou=Users,dc=oreillyauto,dc=com" by self read by group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" read by * none
olcAccess: {8}to * by self read by users read
olcAccess: {9} to attrs=entry by dn.children="cn=admins" write by * read
Your ACLs are still clearly a mess.
olcAccess{1} blocks access to most of the tree for everything but two identities.
I would also note that ACL 9 is clearly never going to be evaluated because ACL{8} covers everything, and has no break clause.
I would also note that ACL2 is a significant security risk, as it grants read access on the user password attribute to anonymous, instead of AUTH access.
I would note that ACLs 5, 6, and 7 will never be evaluated because of ACL{1}.
I would note that ACLs 3, 4, and 8 likely do not do anything, given ACL{1}, since the majority of the tree is closed to them. You probably want a by * break on ACL{1} as well.
I would note that the general way in which you've structured your ACLs makes them difficult to evaluate and maintain.
--Quanah
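To see why the bind is still denied after the "by * break" change, and why rules {5} through {9} never come into play, here is an added example (mine, not code from the thread or from OpenLDAP) that walks Eric's posted olcAccess list with slapd.access(5) semantics in a small Python model: a simple bind checks auth on userPassword as anonymous, so ACL{0} falls through its "by * break" into ACL{1}, which has no break and denies. The rule strings are Eric's as posted; the reworked set, the (empty) group-membership table and the sample user DN are constructed assumptions, and "continue" and dnattr lookups are not modelled.

```python
"""slapd.access(5)-style walk over the olcAccess set posted in this thread (added example,
not OpenLDAP code).  The first rule whose <what> matches the entry and attribute is
selected; its <by> clauses are tried in order and the first match decides, unless it says
"break" (apply its privilege, continue with the next matching rule).  No matching <by>:
=0, stop.  No matching rule: denied.  Not modelled: "continue" and dnattr lookups."""
import re, shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
RO_USER = "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com"
GROUPS = {}  # constructed: group DN -> member DNs for group/... clauses (nobody here)

def norm(dn):
    """Case-fold and strip spaces at RDN separators, like slapd's normalized DNs."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def parse_rule(text):
    """Parse one olcAccess value into (index, what, arg, [(who, arg, level, control)])."""
    m = re.match(r"\{(\d+)\}\s*to\s+(.*)", text.strip())
    parts = re.split(r"\s+by\s+", m.group(2))
    what = parts[0].strip()
    if what == "*":
        target, arg = "*", None
    elif what.startswith("attrs="):
        target, arg = "attrs", {a.strip().lower() for a in what[6:].split(",")}
    else:  # dn.subtree="..." or dn.children="..."
        target, arg = what.split("=", 1)
        arg = norm(arg.strip('"'))
    bys = []
    for clause in parts[1:]:
        tok = shlex.split(clause)
        who, warg = (tok[0].split("=", 1) + [None])[:2]
        level = next((t for t in tok[1:] if t in LEVELS), None)  # None: the "+0" in the trace
        bys.append((who, norm(warg) if warg else None, level, "break" if "break" in tok[1:] else "stop"))
    return int(m.group(1)), target, arg, bys

def target_matches(target, arg, entry_dn, attr):
    if target in ("*", "attrs"):
        return target == "*" or attr.lower() in arg
    return entry_dn.endswith("," + arg) or (target == "dn.subtree" and entry_dn == arg)

def who_matches(who, arg, who_dn, entry_dn):
    return {
        "*": True,
        "anonymous": who_dn == "",
        "users": who_dn != "",
        "self": who_dn == entry_dn,
        "dn.base": who_dn == arg,
        "dn.subtree": who_dn == arg or who_dn.endswith("," + str(arg)),
        "dn.children": who_dn != arg and who_dn.endswith("," + str(arg)),
        "dnattr": False,  # would need the entry's attribute values; not carried here
    }.get(who, who_dn in GROUPS.get(arg, set()))  # anything else is group/.../uniqueMember=

def access_allowed(rules, who_dn, entry_dn, attr, needed):
    """Return (granted, trace); who_dn is "" for anonymous, which is what a bind runs as."""
    who_dn, entry_dn, mask, trace = norm(who_dn), norm(entry_dn), 0, []
    for index, target, arg, bys in rules:
        if not target_matches(target, arg, entry_dn, attr):
            continue
        hit = next((b for b in bys if who_matches(b[0], b[1], who_dn, entry_dn)), None)
        if hit is None:  # implicit "by * none": deny and stop, whatever was accumulated
            return False, trace + [f"acl {{{index}}}: no more <who> clauses, returning =0 (stop)"]
        who, _, level, control = hit
        mask = LEVELS.index(level) if level is not None else mask
        trace.append(f"acl {{{index}}}: by {who} -> ={LEVELS[mask]} ({control})")
        if control != "break":
            break
    return mask >= LEVELS.index(needed), trace

def reachable(rules, entry_dn, attr):
    """Rule indices ever consulted for this entry/attribute: a match with no "break" ends it."""
    out = []
    for index, target, arg, bys in rules:
        if target_matches(target, arg, norm(entry_dn), attr):
            out.append(index)
            if not any(b[3] == "break" for b in bys):
                break
    return out

# Eric's olcDatabase={1}hdb access list as posted, with the LDIF folding undone.
POSTED = [parse_rule(r) for r in (
    '{0}to * by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write by * break',
    '{1}to dn.subtree="dc=oreillyauto,dc=com" by group/groupOfUniqueNames/uniqueMember="cn=System Administrators,ou=Groups,dc=oreillyauto,dc=com" write by group/groupOfUniqueNames/uniqueMember="cn=LDAP Admin,ou=Groups,dc=oreillyauto,dc=com" write',
    '{2}to attrs=userPassword by group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" write by anonymous read',
    '{3}to attrs=uid by anonymous read by users read',
    '{4}to attrs=ou,employeeNumber by users read',
    '{5}to dn.subtree="ou=System,dc=oreillyauto,dc=com" by dn.subtree="ou=Users,dc=oreillyauto,dc=com" none by users read',
    '{6}to dn.children="ou=Groups,dc=oreillyauto,dc=com" by dnattr=owner write by dnattr=uniqueMember read by * none',
    '{7}to dn.children="ou=Users,dc=oreillyauto,dc=com" by self read by group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" read by * none',
    '{8}to * by self read by users read',
    '{9} to attrs=entry by dn.children="cn=admins" write by * read',
)]
# Reworked along Quanah's remarks (constructed, not from the thread): userPassword first with
# anonymous AUTH not read, "by * break" on rules covering only some identities, "entry" last.
FIXED = [parse_rule(r) for r in (
    '{0}to attrs=userPassword by group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" write by anonymous auth by * none',
    '{1}to * by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write by * break',
    '{2}to dn.subtree="dc=oreillyauto,dc=com" by group/groupOfUniqueNames/uniqueMember="cn=System Administrators,ou=Groups,dc=oreillyauto,dc=com" write by * break',
    '{3}to attrs=entry by dn.children="cn=admins" write by * read',
)]

if __name__ == "__main__":  # the bind's auth check on userPassword, before and after the rework
    print(*(access_allowed(r, "", RO_USER, "userPassword", "auth") for r in (POSTED, FIXED)), sep="\n")
```

With the posted list the trace ends exactly where Eric's does (ACL{0} breaks, ACL{1} has no matching <who>, =0 stop), and reachable() shows that nothing after ACL{1} is ever consulted for any attribute of an entry under the base.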
From: Quanah Gibson-Mount quanah@zimbra.com To: espeake@oreillyauto.com Cc: openldap-technical@openldap.org Date: 09/06/2013 02:14 PM Subject: Re: SyncRepl Chaining
Your ACLs are still clearly a mess.
olcAccess{1} blocks access to most of the tree for everything but two identities.
I would also note that ACL 9 is clearly never going to be evaluated because ACL{8} covers everything, and has no break clause.
I would also note that ACL2 is a significant security risk, as it grants read access on the user password attribute to anonymous, instead of AUTH access.
I would note that ACLs 5, 6, and 7 will never be evaluated because of ACL{1}.
I would note that ACLs 3, 4, and 8 likely do not do anything, given ACL{1}, since the majority of the tree is closed to them. You probably want a by * break on ACL{1} as well.
I would note that the general way in which you've structured your ACLs makes them difficult to evaluate and maintain.
--Quanah
This was definitely an issue with the ACLs. I took them down to three for testing and I will work on any areas our team deems to be a security issue.
Thank you for all of your help.
Eric
--On Friday, September 06, 2013 4:34 PM -0500 espeake@oreillyauto.com wrote:
This was definitely an issue with the ACLs. I took them down to three for testing and I will work on any areas our team deems to be a security issue.
Glad you were able to get this resolved. Learning how to process ACLs can be tricky initially, but once you gain a solid understanding of them, it'll be easier in the future. You could vastly simplify the ACLs you had by proper ordering and using groups for your read/write users. ;)
--Quanah
Quanah Gibson-Mount quanah@zimbra.com wrote on 06.09.2013 at 19:29 in message <1EE1A6F821B05E0A922420DE@[192.168.1.22]>:
--On Friday, September 06, 2013 12:21 PM -0500 espeake@oreillyauto.com wrote:
add: olcAccess
olcAccess: {0}to * by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write break
This should be "by * break" not "break"
Eric seems somewhat "consultant resistant", because I suggested a sample working pattern on 29.08.2013 08:46:24 that includes "by * break" to start with. ;-)
[...]